Snort mailing list archives
Re: Snort Inline w/ NFQ doesn't work after reboot
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 29 Nov 2016 13:23:20 -0700
Best is to look like so:

sudo iptables -nvL
sudo iptables -t nat -nvL

before and after testing...that should show you what packets went where.

James

On 2016-11-29 12:01, J Green wrote:
> Will try that. This seems like a firewall or NFQ issue. Is there a way to get debug logging out of NFQ?
>
> Thank you.
>
> On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay () slave-tothe-box net> wrote:
>> On 2016-11-29 11:48, J Green wrote:
>>> Upon reboot, I enter those (2) iptables commands manually, before running barnyard. Still does not work.
>>>
>>> Thank you.
>>>
>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay () slave-tothe-box net> wrote:
>>>> On 2016-11-29 11:31, J Green wrote:
>>>>> Appreciate the response. Firewalld/iptables is up. Though the only rule I have in there is for access to the Barnyard web gui. Thought that rules for inline were added as follows?
>>>>>
>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>>
>>>>> I did have this more granular, only allowing specific ports through the bridge, but opened it up for troubleshooting purposes. All interfaces are up and respond to pings. I know that I am missing something simple.
>>>>>
>>>>> Thank you.
>>>>
>>>> They are added, but once you reboot they are lost. You'll need to either create a script to re-add them on boot or use iptables-save/iptables-restore commands.
>>>>
>>>> James
>>>>
>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay () slave-tothe-box net> wrote:
>>>>>> On 2016-11-28 14:28, J Green wrote:
>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM). It works w/ NFQ inline. However, if I reboot the VM, NFQ no longer seems to work. I do not see anything in the logs, etc.
>>>>>>>
>>>>>>> Here is how I am running Snort:
>>>>>>>
>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>>>>>>>
>>>>>>> Any input would be appreciated.
>>>>>>>
>>>>>>> Thank you.
>>>>>>
>>>>>> Make sure your iptables rules are reapplied on reboot.
>>>>>>
>>>>>> James
>>
>> Sounds like you'll want to not run snort in the background for testing...if it was me I'd packet capture as well.
>>
>> James
------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
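The fix James describes (re-add the two NFQUEUE rules on boot, then compare the `iptables -nvL` packet counters before and after sending test traffic), as an added shell example that is not from the thread or from the Snort project. It assumes queue 1 and the nat/PREROUTING and filter/FORWARD chains exactly as posted; IPT can be pointed at a stub command so the counter parsing can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): re-apply the NFQUEUE redirect rules
# idempotently after a reboot and read the NFQUEUE rule's packet counter from
# `iptables -nvL`, so a before/after snapshot shows whether traffic reaches the queue.
# Assumptions: queue 1, chains nat/PREROUTING and filter/FORWARD as posted.
# IPT may be set to a stub command for testing without root.
IPT="${IPT:-iptables}"
QUEUE="${QUEUE:-1}"

# ensure_rule TABLE CHAIN: insert the NFQUEUE rule only if it is not already
# present (-C checks for an existing rule), so a boot script can run this safely.
ensure_rule() {
    table=$1
    chain=$2
    if "$IPT" -t "$table" -C "$chain" -j NFQUEUE --queue-num "$QUEUE" 2>/dev/null; then
        echo "present: $table/$chain"
    else
        "$IPT" -t "$table" -I "$chain" -j NFQUEUE --queue-num "$QUEUE" || return 1
        echo "added: $table/$chain"
    fi
}

# apply_rules: the two rules from the thread; run this before starting snort -Q.
apply_rules() {
    ensure_rule nat PREROUTING
    ensure_rule filter FORWARD
}

# nfq_pkts TABLE CHAIN: packet counter of the NFQUEUE rule for our queue number,
# parsed from `iptables -t TABLE -nvL CHAIN` (column 1 is pkts, column 3 is target).
nfq_pkts() {
    "$IPT" -t "$1" -nvL "$2" 2>/dev/null |
        awk -v q="$QUEUE" '$3 == "NFQUEUE" && $0 ~ ("NFQUEUE num " q "( |$)") { print $1; exit }'
}

# show_counters: one-line snapshot to take before and after sending test traffic;
# if the numbers do not move, packets are not being handed to the queue.
show_counters() {
    echo "nat/PREROUTING=$(nfq_pkts nat PREROUTING) filter/FORWARD=$(nfq_pkts filter FORWARD)"
}

# Persisting: CentOS 7 with firewalld active does not keep rules added with raw
# iptables across reboots; either call apply_rules from a boot-time script or unit,
# or install iptables-services and use iptables-save/iptables-restore as in the thread.
if [ "${1:-}" = "apply" ]; then
    apply_rules && show_counters
fi
```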